
New zero-day vulnerability in Java browser plug-ins

Looks like the month of zero-day vulnerabilities continues.

Another vulnerability in Java (CVE-2013-0422) is already included in several exploit packs (BlackHole Exploit Kit, Cool Exploit Kit, Nuclear Pack). Here is what the creator of the BlackHole Exploit Kit writes:


It is reported that this vulnerability is very similar to the one discovered in Java in August, CVE-2012-4681. An attacker can create a malicious web page and execute arbitrary code on a vulnerable system. The exploit works against the latest current version of Java, 1.7u10.

The creator of Metasploit said that the described vulnerability would be included in the framework in the near future (already released, thanks to timukas). Recall that the vulnerability can be exploited regardless of the OS on which Java is installed, be it Windows, Linux or MacOS.

The exploit source code is available here for research purposes; if successful, it launches the calculator on Windows systems.

As a temporary protective measure, it is recommended to disable the Java plug-in in browsers:
  1. Disable Java plug-in for Safari web browser
  2. Disable plugins in Google Chrome
  3. How to properly disable Java runtime in Opera for Windows
  4. Disable plugins in Firefox


UPD: video demonstration of the vulnerability:



UPD: Update 7u11 also does not fix the vulnerability
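
To find the machines where the plug-in needs to be disabled, the added example below (not from the original post) triages collected `java -version` output against the versions this post names, 7u10 and 7u11. The inventory, the verdict labels and the choice to treat every Java 7 update up to 11 as affected are assumptions of the example.

```python
import re

# Highest Java 7 update this post reports as still exploitable (7u11).
# Assumption of this example: all earlier Java 7 updates are treated the same,
# since 7u10 was the latest release when the exploit appeared.
LAST_AFFECTED_UPDATE = 11

# Legacy version line printed by `java -version`, e.g. java version "1.7.0_10"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')

def classify(version_output):
    """Return (major, update, verdict) for the text printed by `java -version`."""
    m = VERSION_RE.search(version_output)
    if not m:
        return (None, None, "unparsed")          # no JRE found or unknown format
    major = int(m.group(1))
    update = int(m.group(2) or 0)                # "1.7.0" without suffix is update 0
    if major == 7 and update <= LAST_AFFECTED_UPDATE:
        return (major, update, "disable-plugin")
    # Other releases are not discussed in this post; defer to the vendor advisory.
    return (major, update, "check-vendor-advisory")

def triage(inventory):
    """Return the sorted host names whose JRE falls in the range the post names."""
    return sorted(host for host, out in inventory.items()
                  if classify(out)[2] == "disable-plugin")

# Constructed sample inventory: host name -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "ws-02": 'java version "1.7.0_11"',
    "ws-03": 'java version "1.6.0_38"',
    "ws-04": 'java version "1.7.0"',
    "ws-05": "-bash: java: command not found",
}

if __name__ == "__main__":
    for host, out in sorted(SAMPLE_INVENTORY.items()):
        print(host, classify(out))
    print("disable the browser plug-in on:", ", ".join(triage(SAMPLE_INVENTORY)))
```

Hosts reported as `unparsed` still need a manual look, because a browser plug-in can be installed even when `java` is not on the PATH.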

Source: https://habr.com/ru/post/165379/

